Mobile ads can hijack your phone and steal your contacts

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

NEW YORK (CNNMoney) — Those pesky pop-up ads from the ’90s are back, but this time they’re holding your smartphone hostage.

Tens of thousands of smartphone apps are running ads from rogue advertising networks that change smartphone settings and take contact information without permission, according to a new study released Monday, July 9th.

Aggressive ad networks can disguise ads as text message notifications or app icons, and sometimes change browser settings and bookmarks. Often, the ads will upload your contacts list to the ad network’s servers — information the ad network can then sell to marketers

Sounds scary? It’s not a giant problem yet, but it’s a growing one. As many as 5% of free mobile apps use an “aggressive” ad network to make money, according to Lookout, a San Francisco-based mobile security company.

With millions of mobile apps in stores, that small sliver adds up to a big number. The study found that 19,200 of the 384,000 apps it tested used malicious ad networks. Those apps have been downloaded a whopping 80 million times.

PhoneLiving is the most prevalent app developer to use these kinds of ad networks — their dozens of talking animal apps have been downloaded 10 million times, according to Lookout. PhoneLiving could not be reached for comment, as its website — aside from its homepage — returns nothing but error messages.

The most popular type of apps that use aggressive ad networks are “personalization” apps, which include wallpapers. Comic, arcade and entertainment apps are also among the most likely to have rogue ad networks running behind the scenes.

Like aggressive pop-ups on PCs, the bad software isn’t easy to shed. Though the damage can typically be reversed by deleting the app, it can be hard to pinpoint which app is causing the problems.

“Sometimes you download 10 apps at a time, so you don’t know which is responsible,” said Kevin Mahaffey, Lookout’s CTO. “It’s not unlike adware in the early PC days.”

When developers create free mobile apps, they usually make money through ads displayed within the app. That free version of Angry Birds didn’t cost you anything because of the pop-up ad that appears right as you’re catapulting the red bird at its target.

The vast majority of ads run on well-known ad networks like Jumptap, Apple’s iAd and Google’s AdMob. They collect some information about their users, but they don’t go to the extremes of uploading contact lists and changing settings.

The appeal of the ad networks that Lookout gently calls “aggressive” is that they generate more revenue for app developers.

Android ad network Airpush, for example, places ads in users’ notification bars and home pages. That generates more clicks — and more money for developers — since even inactive users can view the ads.

Lookout has criticized Airpush in the past for being overly aggressive with its marketing techniques, but it remains the second-biggest ad network for Android devices. Airpush does give users the option of opting out of its push notification ads.

Airpush representatives did not respond to a request for comment.

App makers don’t usually disclose what ad network they’re using, which makes it hard to avoid the known offenders. The best defense is to read reviews and avoid downloading apps that have attracted a trail of complaints.

Lookout’s Mahaffey says bad actors are more prevalent on Android phones than iPhones, because the Google Play app store has fewer restrictions and gatekeepers than Apple’s iTunes app store.

But the iPhone isn’t immune: Other ad networks Lookout considers aggressive include Moolah Media, Leadbolt and Mocean Mobile, all of which publish apps for both Android and iOS.